C-Level Executives Weigh In On Information Security

Our survey results show CXOs "get it." Here's how to turn that common focus into stronger security.

When it comes to information security, your non-IT execs just might "get it."

Our InformationWeek Analytics survey of 326 business technology professionals suggests that C-level executives not only recognize the importance of information security, but they actively support their IT organizations' efforts to protect corporate assets and reduce risk.

Frankly, we're a bit surprised by these results. We hear rants from IT pros about stingy executives who are ignorant of critical security issues and regard security as an impediment to doing business.

Indeed, conflicts between executives and IT organizations are still common, our follow-up interviews reveal. Moneymaking opportunities that present considerable security risks still go forward over the objections of information security teams. Conversely, security teams don't always appreciate that risk can't be entirely eliminated, or that some security measures go so far as to make information and technology too cumbersome to be useful.

McNabb's goal: "bombproof
from the get-go"Photo by Chris Crisman

Among the more security-minded executives we interviewed, William McNabb, CEO of investment firm Vanguard Group, sums up his company's information security responsibility this way: "We manage more than a trillion dollars of other people's money. That's important trust they've placed with us, and we have to do everything in our power to protect it." Our senior-level readers agree, as 75% of survey respondents say information security is among the highest of corporate priorities.

We see four reasons for this high level of executive support. First is the rise of high-volume theft of credit card information, Social Security numbers, and other personal data. Such attacks began to make headlines in 2005, when DSW Shoe Warehouse and ChoicePoint were hit. In the DSW case, thieves stole 1.4 million credit card numbers from stores in 25 states. Meanwhile, poor controls at ChoicePoint enabled scam artists posing as legitimate businesses to access consumer records and perpetrate identity theft. Since then, a string of larger information thefts from the likes of the Hannaford Bros. grocery chain, job site Monster.com, retailer TJX, and, most recently, Heartland Payment Systems has put executives on notice: Such breaches can no longer be dismissed as merely isolated incidents.

Second, the high-profile thefts have triggered a number of state breach-disclosure laws, which compel companies to publicize the theft or loss of personally identifiable information. Companies also face industry data-protection standards, the most prominent of which is the Payment Card Industry Data Security Standard, which requires a variety of security measures for businesses that accept and process credit cards.

The third trend changing executives' attitudes about security is the rising cost of information breaches. From lawsuit payouts to fines to the expense of setting up credit-monitoring services for victimized customers, execs can see exactly how much a security failure costs.

U.S. companies paid an average of $202 per exposed record in 2008, up from $197 in 2007, according to a report by the Ponemon Institute, a privacy management researcher. The report also says the average total cost per breach for each company was $6.6 million in 2008, up from $6.3 million in 2007 and $4.7 million in 2006.

The fourth major trend is the damage to a company's brand and reputation. While it's hard to put a price on the loss of customer trust or efforts to repair a brand, no CEO wants to have to try to do that math.